From: Ilan Peer <ilan.peer@xxxxxxxxx>
Current code allocated a scratch buffer that is the length of the elements. However this is not sufficient as the defragmentation can happen in the following places concurrently:
- MBSSID element defragmentation
- EHT ML element defragmentation
- EHT ML element sub element defragmentation
Fix the length and the scratch buffer allocation to allow up to 3 defragmentations. While at it remove the 'scratch_len' field from 'struct ieee80211_elems_parse_params' as it is not really needed or used.
Fixes: ff05d4b45dd8 ("wifi: mac80211: fix MBSSID parsing use-after-free")
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
Signed-off-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
---
 net/mac80211/ieee80211_i.h | 3 ---
 net/mac80211/util.c | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index b0372e76f373..e67c5c754be1 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2269,8 +2269,6 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
 * (or re-association) response frame if this is given
 * @from_ap: frame is received from an AP (currently used only
 * for EHT capabilities parsing)
- * @scratch_len: if non zero, specifies the requested length of the scratch
- * buffer; otherwise, 'len' is used.
 */
 struct ieee80211_elems_parse_params {
 const u8 *start;
@@ -2281,7 +2279,6 @@ struct ieee80211_elems_parse_params {
 struct cfg80211_bss *bss;
 int link_id;
 bool from_ap;
- size_t scratch_len;
 };
 
 struct ieee802_11_elems *
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index ead4b095cc4d..b0c035cf13da 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1604,7 +1604,7 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
 const struct element *non_inherit = NULL;
 u8 *nontransmitted_profile;
 int nontransmitted_profile_len = 0;
- size_t scratch_len = params->scratch_len ?: 3 * params->len;
+ size_t scratch_len = 3 * params->len;
 
 elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC);
 if (!elems)
-- 
2.38.1
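Review bot: The factor of 3 in `size_t scratch_len = 3 * params->len;` has no in-code explanation; the reasoning (one scratch copy each for MBSSID, EHT ML and EHT ML sub-element defragmentation) lives only in the commit message, so a maintainer adding a fourth defragmentation site cannot tell from the code that the multiplier must grow with it. Suggest a comment above the declaration such as `/* MBSSID, EHT ML and EHT ML sub-element defragmentation can each need their own scratch copy of the elements, so size the buffer for three */`, or a named constant in place of the literal. The `sizeof(*elems) + scratch_len` handed to `kzalloc()` is still computed without overflow helpers; if `params->len` is always bounded by the frame length this is fine in practice, but `size_add(sizeof(*elems), size_mul(3, params->len))` would make that assumption explicit. The enclosing `ieee802_11_parse_elems_full()` starts before this hunk and continues past it.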